Bug#1060693: marked as done (qt6-base: CVE-2023-51714)



Your message dated Sat, 13 Jan 2024 21:04:14 +0100
with message-id <ZaLsvtJFUZ2HLPsj@eldamar.lan>
and subject line Re: Accepted qt6-base 6.4.2+dfsg-21 (source) into unstable
has caused the Debian Bug report #1060693,
regarding qt6-base: CVE-2023-51714
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1060693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060693
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qt6-base
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
    https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: qt6-base
Source-Version: 6.4.2+dfsg-21

On Sat, Jan 13, 2024 at 02:37:52PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sat, 13 Jan 2024 14:53:25 +0100
> Source: qt6-base
> Architecture: source
> Version: 6.4.2+dfsg-21
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
> Changed-By: Patrick Franz <deltaone@debian.org>
> Changes:
>  qt6-base (6.4.2+dfsg-21) unstable; urgency=medium
>  .
>    [ Patrick Franz ]
>    * Add patch to fix CVE-2023-51714.
> Checksums-Sha1:
>  0b79f91facc70ff2c8372b5c8cdc04a11b75032f 5074 qt6-base_6.4.2+dfsg-21.dsc
>  ae643df52b95dde7b50df35170f22cc88c0f98dc 191336 qt6-base_6.4.2+dfsg-21.debian.tar.xz
>  3ff1fbc0f52abf5df663850fb861019b0c07ae98 9914 qt6-base_6.4.2+dfsg-21_source.buildinfo
> Checksums-Sha256:
>  8b157fff163ce358b7bef601b34f76fc9c8355e3e2d2f9b775c1ede14c394d30 5074 qt6-base_6.4.2+dfsg-21.dsc
>  488f844e6401f7abbbec9c441ab14a6d5551884575334035c159ca2525b60bee 191336 qt6-base_6.4.2+dfsg-21.debian.tar.xz
>  0ce2b7615e075ae1a2ab2185a34a30692189341c6202a188ca8bce8536b5c4aa 9914 qt6-base_6.4.2+dfsg-21_source.buildinfo
> Files:
>  ad899a600ed30c68847c4fb2c13f5d5c 5074 libs optional qt6-base_6.4.2+dfsg-21.dsc
>  03c4f298d4059de4fb7ec27ffa1070fa 191336 libs optional qt6-base_6.4.2+dfsg-21.debian.tar.xz
>  21d86d79bf7e33fda531d318d5d0483d 9914 libs optional qt6-base_6.4.2+dfsg-21_source.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> -----END PGP SIGNATURE-----
> 

--- End Message ---
